To make matters worse, the report from the mobile-security firm Wandera says this problem occurs precisely when users try to mark their homes or other sensitive spots as private, not because of any failure to enable the right privacy settings.

In fewer words, people who followed the company’s advice about how to keep their home addresses private may have instead made them easier to find.

“Using the ending points of an activity, it is possible to determine which radius option was selected by the user and then to triangulate the exact location of the selected address,” the report says. “As the privacy zone is of equal size in each activity, it’s possible to represent this graphically by increasing the radius of circles around each activity end marker until three or more circles intersect.”

Think of the Venn diagrams that have become their own internet meme, except that in this case they let other people know where you live, or at least where you keep your expensive, carbon-fiber road bicycle.

“The re-identification strategy discussed here (points on a circle) appears to be effective and quite problematic,” said Stacey Gray, policy counsel with the Future of Privacy Forum, a Washington D.C.-based think tank. “It might be unique to Strava … I’m not aware of any other fitness app that allows similar radius-based zones of privacy.”

The post says the San Francisco-based company is “reviewing features that were originally designed for athlete motivation and inspiration to ensure they cannot be compromised by people with bad intent” and is working on “simplifying our privacy and safety features.”

But on Wednesday, Strava spokesman Andrew Vontz addressed Wandera’s report specifically. “While Strava’s engineering team has been working to augment and improve privacy options well before we were contacted by this company and others, we appreciate their interest in our platform,” he said. “In the coming weeks Strava will be rolling out more privacy options for users.”

What Strava could do instead

Wandera has ideas of its own about how to fix this problem.

“Strava should look at randomizing the distance that their privacy zone uses for each activity so that the radius can’t be used to determine the exact hidden location,” wrote Dan Cuddeford, director of systems engineering, in an email forwarded by a publicist.

For example, he said, Tinder suffered from the same issue until Include Security documented how the dating app’s implementation of a location feature could help an attacker pinpoint a Tinder user’s location to within 100 feet.

“Tinder has since updated the app and now it only shows a rounded distance rather than a precise distance,” Cuddeford said.

Cuddeford added that Wandera offered this recommendation to Strava when it disclosed this research to the company last year. Wandera says Strava’s response was, more or less, that the “privacy zones were working as intended and users could opt-out entirely if required.”

He had some counterintuitive advice for Strava users — Wandera employees are among them — to use the app more privately: Turn off privacy zones. Instead, he recommended an analog implementation of a privacy zone: “Don’t start/stop Strava activities until you are a random distance from your sensitive location.”
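The circle-intersection method from Wandera’s report above, and the randomized-radius fix Cuddeford proposes, can be worked through in a few lines. The following is an added illustration and is not Wandera’s or Strava’s code: it works in flat metre coordinates around a local origin, the privacy-zone radius menu (`RADIUS_OPTIONS_M`) is a hypothetical one assumed for the example, and the activity end markers are constructed, not taken from any real account.

```python
import math

Point = tuple[float, float]  # metres east and north of a local origin (flat-earth approximation)

# Hypothetical privacy-zone radius menu, in metres. Assumed for this example;
# it is not Strava's actual list of options.
RADIUS_OPTIONS_M = (200.0, 500.0, 1000.0)

# Constructed sample: a hidden address and four activity end markers that a
# fixed 500 m zone would leave on its boundary (offsets are 3-4-5 triangles, so
# the arithmetic is exact).
HIDDEN = (1250.0, -430.0)
FIXED_ZONE_ENDPOINTS = [(1550.0, -30.0), (850.0, -130.0), (1750.0, -430.0), (1250.0, -930.0)]

# Same address, but each activity truncated at a different, randomised radius
# (500 m, 600 m, 700 m), as Cuddeford suggests. Also constructed.
RANDOMISED_ZONE_ENDPOINTS = [(1550.0, -30.0), (770.0, -70.0), (1950.0, -430.0)]


def distance(p: Point, q: Point) -> float:
    return math.hypot(p[0] - q[0], p[1] - q[1])


def circle_through(a: Point, b: Point, c: Point) -> tuple[Point, float]:
    """Centre and radius of the unique circle through three non-collinear points.

    Every end marker sits on the boundary of the hidden zone, so three markers
    determine the zone's centre, i.e. the hidden address. This is the
    circumcentre formula; it is exact, no search over growing circles needed.
    """
    ax, ay = a
    bx, by = b
    cx, cy = c
    d = 2.0 * (ax * (by - cy) + bx * (cy - ay) + cx * (ay - by))
    if abs(d) < 1e-9:
        raise ValueError("end markers are collinear; no unique circle")
    sa, sb, sc = ax * ax + ay * ay, bx * bx + by * by, cx * cx + cy * cy
    ux = (sa * (by - cy) + sb * (cy - ay) + sc * (ay - by)) / d
    uy = (sa * (cx - bx) + sb * (ax - cx) + sc * (bx - ax)) / d
    centre = (ux, uy)
    return centre, distance(a, centre)


def nearest_radius_option(radius_m: float) -> float:
    """Snap a fitted radius to the menu option the user most likely picked."""
    return min(RADIUS_OPTIONS_M, key=lambda r: abs(r - radius_m))


def recover_hidden_location(endpoints: list[Point], tolerance_m: float = 5.0):
    """Fit the zone from the first three end markers, then count how many of
    all the markers agree with it.

    Returns (centre, radius option, number of agreeing markers). A high
    agreement count is the "three or more circles intersect" check from the
    report: with a fixed radius every marker lands on the same circle.
    """
    if len(endpoints) < 3:
        raise ValueError("need at least three activity end markers")
    centre, radius = circle_through(*endpoints[:3])
    option = nearest_radius_option(radius)
    agreeing = sum(1 for p in endpoints if abs(distance(p, centre) - option) <= tolerance_m)
    return centre, option, agreeing


if __name__ == "__main__":
    c, opt, n = recover_hidden_location(FIXED_ZONE_ENDPOINTS)
    print(f"fixed radius: centre={c}, option={opt} m, {n}/{len(FIXED_ZONE_ENDPOINTS)} markers agree, "
          f"error={distance(c, HIDDEN):.1f} m")
    c, opt, n = recover_hidden_location(RANDOMISED_ZONE_ENDPOINTS)
    print(f"randomised radius: centre={c}, {n}/{len(RANDOMISED_ZONE_ENDPOINTS)} markers agree, "
          f"error={distance(c, HIDDEN):.1f} m")
```

With a fixed radius the fit lands on the hidden address exactly and every other marker confirms it; with a per-activity random radius the circle through three markers is hundreds of metres off and no marker confirms it. The caveat a practitioner should keep in mind is that randomisation only defeats this exact-intersection trick: every marker still lies within the largest possible radius of the hidden point, so a large enough set of activities still narrows the address down to a neighbourhood. Starting and stopping recordings a random distance away, as Cuddeford recommends, removes the fixed geometric relationship entirely rather than blurring it.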

Strava’s other usability problem

Wandera, however, skips over another usability failing with Strava: To use Privacy Zones at all, you have to set aside the mobile app in which you’d otherwise exclusively interact with the service and instead go to its web site.

Gray — after noting that Strava’s privacy options overall seem “to be at or above the industry norms in most respects”—did not approve of that omission. Nor did she endorse Strava’s app not giving users a way to opt out of having their activity aggregated into the heatmap.

But, she added, even if an app puts privacy-protecting options in plain sight, that doesn’t mean its users will stop to consider and use them: “Most consumers do not understand this aspect of data practices of apps that collect location.”